This seems like a silly question, but can someone point me to where I can see a document that describes which way around the interfaces are defined for inbound and outbound? I found a document once but didn't save it, and now that I want to go back and convince someone ours is configured the wrong way around, I can't find it.
I believe that traffic reports will show alerts as inbound if they hit the interface which is configured as the Outside network, and alerts as outbound if they hit the interface configured as the Inside network.
Outside interface is the one closest to the internet and inside interface is closest to your internal network?
Please confirm or show me a doc.
Your definition is correct:
- Inbound traffic is all traffic where the connection is initiated on the defined outside interface of an inline monitoring port
- Outbound traffic is all traffic where the connection is initiated on the defined inside interface of an inline monitoring port
Correctly defining the outside/inside interfaces is quite important - just as an example, a couple of points:
- Subinterfaces/virtual interfaces: when defining subinterfaces, you can only define them by using 'internal' CIDR/VLAN details
- If using NTBA, the inside/outside port configuration may affect the Internal/External NTBA zones and policies